The present invention generally relates to applied cryptography, and more particularly to a method and system for secure distribution and protection of encryption key information.
Asymmetric cryptography, also referred to as public-key cryptography, makes use of two types of keysxe2x80x94public keys and private keys. Each communicating unit with asymmetric cryptography capabilities always has a pair of linked but separate keys, a public key and a private key. Information encrypted by one of the keys can only be decrypted by the other part of the key pair. The public key is normally made publically available for general use. The private key however should be kept private and not known to anybody, possibly except for the person to which it belongs.
In general, asymmetric cryptography is used in two ways, as illustrated in FIGS. 1A-B:
For sending private messages (FIG. 1A): If a message or a document is encrypted by the public key, it can only be decrypted by the private key. The sender can then be assured that only the intended receiver can decrypt the message. Hence the message will be private.
For signing messages (FIG. 1B): If a message or document is encrypted by the private key, it can only be decrypted by the public key. The receiver can then be assured that it is the alleged that actually sent the message. Hence, the private key acts as a digital signature. In general, a one-way message digest algorithm is applied to the message, and then the digest is encrypted and sent together with the original message. On the receiving side, the encrypted digest is decrypted by the corresponding public key, and the digest algorithm is applied to the original message and the results compared to verify authenticity.
Asymmetric cryptography allows any person to encrypt a message or a document and send it to another person without any prior exchange or agreement.
However, how can a person, business partner or merchant be sure that the public key of another person, merchant or partner is authentic? What if someone forges a message and also forges a public key to open that message? This problem is generally solved by the use of Certificate Authorities. A Certificate Authority (CA), which is a trusted organization, verifies the credentials of people and puts its xe2x80x9cstampxe2x80x9d of approval on those credentials by issuing so-called digital certificates. A digital certificate, hereinafter simply referred to as a certificate, verifies the authenticity of a user and certifies that a certain public key belongs to a certain individual. Normally, a certificate comprises a set of information concerning the approved individual, the public key of this individual, and possibly a set of information concerning the issuer of the certificate. In general, a message digest algorithm is applied to this information, and the digest is then encrypted by the private key of the CA. In a more general sense, the certificate can be seen as a container for a public key and information on the individual to which the public key is given. The container is then signed with the digital signature of the trusted CA.
A receiver of a certificate can then decrypt the digital signature by using the public key of the CA, apply the message digest algorithm to the original certificate and compare the results to verify that the certificate is authentic. This of course assumes that the CA is indeed trusted. In the United States, a hierarchy of trusted organizations is being formed, where private and local organizations are authorized by national CAs.
The asymmetric cryptography scheme together with digital certificates is well suited for electronic commerce, on-line business transactions and secure logon to servers, and is regarded by many as a key factor to secure and flexible communication over digital networks.
Asymmetric or public-key cryptography as such is well-known in the art, originally developed already in the mid 1970s by Diffie and Hellman, and later turned into the effective and usable RSA system developed by Rivest, Shamir and Adelman.
The problem area is the distribution of encryption key information such as private keys to different systems and units and storage of the keys in the units. An individual may have several communicating units, such as mobile telephones, personal computers and personal digital assistants. It is desirable, for convenience and flexibility, that the individual can use the same private key and the same certificate, independent of the unit by which the individual is communicating. Is it possible to securely distribute a private key to one or more distributed units and keep it there in a secure manner?
Usually, the key as well as the encryption algorithm are stored as software in each communicating unit. However, the main disadvantage with this method is that there is no secure way to store sensitive information in software other than what is provided for storing data in an ordinary PC or equivalent. This means that the private key may be illegitimately accessed rather easily by a person other than the key holder. In addition, there is no simple and secure way to distribute the key to other units.
Protecting circuits, sometimes referred to as tamper-resistant hardware modules, have been used to secure private keys, for example as described in U.S. Pat. No. 5,563,950. A protecting circuit is a physically and logically encapsulated circuit. For example, a protecting circuit could be in the form of an encapsulated integrated circuit having a restricted interface and equipped with non-erasable logic and a permanent memory for storing non-erasable sensitive information. An essential characteristic is that at least a subset of the logic and the stored information is not available or visible outside of the circuit. By encapsulating at least the cryptographic engine and the private key in such hardware, it is impossible to read the key from the outside. An individual may then use the circuit and the private key encapsulated therein for cryptography. The whole encapsulated system may receive information and encrypt it with the key, or receive encrypted information and decrypt it with the key. However, this method is inflexible. An individual who owns several communicating units is required to hold as many certificates and private keys. Furthermore, if the private key is to be replaced by a new key (it is strongly recommendable to replace the private key on a regular basis), the entire unit has to be changed.
Still another known solution is to use a tamper-resistant smart card provided with a private key. This means that each unit has to be equipped with a card reader. Although smart cards offer many advantages, smart cards are also quite inconvenient. Each time asymmetric cryptography is required, the smart card has to be inserted into the card reader. In addition, if another card, e.g. an ordinary credit card, is to be used for a transaction that requires encryption, yet another card reader is required. The need for additional card readers is of course a restriction, and leads to heavier, bigger and more expensive communicating units than would have been possible otherwise. For mobile telephones, personal digital assistants and portable computers where the trend is towards smaller and smaller units, the need for a card reader becomes a problem.
The present invention overcomes these and other drawbacks of the prior art.
U.S. Pat. No. 5,517,567 relates to the distribution of a communications key from a master unit to a remote unit, and employs first and second secret numbers, a random number, and first and second intermediate numbers generated from the secret numbers and the random number. The second intermediate number is combined with the key to generate a transmission number that is sent together with the random number from the master unit to the remote unit. The remote unit is able to reproduce the key by using the random number, the transmission number and the first and second secret numbers. Each one of the master and remote units includes XOR-circuitry for exclusive OR-ing of the random number and the first secret number to generate the first intermediate number, as well as a conventional DES (symmetric) encryption unit for encrypting the first intermediate number by the second secret number to generate the second intermediate number.
U.S. Pat. No. 5,825,300 relates to a method of protected distribution of keying and certificate material between a Certificate Authority (CA) and an entity within the domain thereof. First, the CA sends keying material, including a password, to the entity via a first secure medium such as manual courier or secure mail. The receiving entity generates a public and private key pair using the keying material, and generates and protects a request for a certificate to the CA by using the keying material. The request is sent to the CA via a second secure medium, and the CA authenticates the identity of the requesting entity by requesting the public key and the address of the requesting entity, the requesting entity protects the transmission of its public key and address to the CA by using the keying material. Once the identity of the requesting entity is confirmed, the CA issues the certificate and records the public key at the CA for public use.
U.S. Pat. No. 5,781,723 relates to a system and method for self-identifying a portable information device to a computing unit. A device class tag indicative of the type of the portable information device is permanently embedded in the device. When communication is established between the portable information device and the computing unit of a Certificate Authority (CA), the portable information device sends a certificate request including the results of a mathematical operation involving the device class tag to the computing unit. The mathematical operation renders it computationally difficult or infeasible to deduce the device class tag from the result so that the device class tag is not exposed from the portable information device. The computing unit uses the tag-related portion of the message to identify the type of the portable information device, and issues a certificate confirming the identity and type of the portable information device. During subsequent transactions, the certificate can be used by the portable information device for self-identification purposes.
It is a general object of the present invention to provide secure distribution of encryption key information, such as a private key, from a distributing unit to a receiving unit, as well as secure protection of the private key therein.
In particular, it is an object of the invention to provide a key distributing system and a method for protected distribution of encryption key information.
Still another object of the invention is to facilitate replacement of a private key.
These and other objects are met by the invention as defined by the accompanying patent claims.
The present invention is based on providing each of the distributing unit and the receiving unit with a protecting circuit that holds an original private key unique for the protecting circuit. The protecting circuit of the receiving unit is associated with a certificate that holds information on the type of the protecting circuit. The protecting circuit of the distributing unit requests the certificate of the receiving unit and verifies the authenticity by using a public key, of a trusted CA, stored in the protecting circuit of the distributing unit. Next, the protecting circuit of the distributing unit determines, based on the type information of the certificate, whether the protecting circuit of the receiving unit represents a type of circuit that is acceptable for protecting the encryption key information to be distributed. If the receiving unit""s protecting circuit is found to be acceptable, the encryption key information is encrypted and transmitted thereto. The received encryption key information is decrypted and stored in the protecting circuit of the receiving unit. In this manner, encryption key information, such as a private key of an individual person, is protected during transfer and may be distributed to and securely protected in one or more receiving units.
Naturally, the encryption key information is encrypted by the public key of receiving unit""s protecting circuit, and the encrypted encryption key information is decrypted by the private key of the receiving unit""s protecting circuit.
Furthermore, the protecting circuit of the receiving unit is preferably configured to delete the encryption key information (K) received and protected therein if it receives an authenticated delete request from the unit that distributed the encryption key information. In this way, the encapsulated key can be destroyed by the owner of the device upon an authenticated delete request, and a new key can be installed by repeating the above distribution procedure, either by the same individual or by a new owner. Instead of changing the entire device as in the prior art, the key can be securely replaced in an efficient manner.
The invention offers the following advantages:
Encryption key information is protected during transfer and may be distributed to and securely protected in one or more receiving units; and
The encapsulated key can be destroyed by the owner of the device, and replaced by a new key.
Other advantages offered by the present invention will be appreciated upon reading of the below description of the embodiments of the invention.